|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--59f6f4a5-0e10-4c36-9c71-5690c25ed030",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2019-09-23T13:15:30.000Z",
|
||
|
"modified": "2019-09-23T13:15:30.000Z",
|
||
|
"name": "CERT-RLP",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--59f6f4a5-0e10-4c36-9c71-5690c25ed030",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2019-09-23T13:15:30.000Z",
|
||
|
"modified": "2019-09-23T13:15:30.000Z",
|
||
|
"name": "Evasive Sage 2.2 Ransomware",
|
||
|
"published": "2019-10-08T21:45:05Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--59f6f515-043c-4947-8052-568dc25ed030",
|
||
|
"url--59f6f515-043c-4947-8052-568dc25ed030",
|
||
|
"indicator--5a002e66-0924-4cc1-ba34-4d2c950d210f",
|
||
|
"indicator--5a002e66-2624-4b10-9db5-420a950d210f",
|
||
|
"indicator--5a002e66-874c-4c64-a1a3-4d2d950d210f",
|
||
|
"indicator--5a002e66-e384-4470-9a48-49d5950d210f",
|
||
|
"indicator--5a002e66-935c-4180-8284-4b63950d210f",
|
||
|
"indicator--5a002f24-0bf4-4910-8082-48b5950d210f",
|
||
|
"indicator--5a002f24-3040-4e33-bc00-4530950d210f",
|
||
|
"indicator--5a002f24-635c-4359-a94d-4c28950d210f",
|
||
|
"indicator--5a002f24-6610-4fa9-8f2a-41bc950d210f",
|
||
|
"indicator--5a002f24-681c-4eb7-9d01-4499950d210f",
|
||
|
"indicator--5a002f24-a3f8-450d-ac12-4783950d210f",
|
||
|
"indicator--5a002f24-f914-4587-a4c7-407d950d210f",
|
||
|
"indicator--5a002f24-da2c-4cd1-9d67-4bec950d210f",
|
||
|
"indicator--5a002f24-a744-4583-b461-462d950d210f",
|
||
|
"indicator--5a002f24-9798-4245-a328-4f08950d210f",
|
||
|
"indicator--5a002f24-8a44-4657-844e-4ff3950d210f",
|
||
|
"indicator--5a002f24-0888-4dc2-995f-461a950d210f",
|
||
|
"indicator--5a002f24-db50-4692-aa75-41b2950d210f",
|
||
|
"indicator--5a002f24-8064-4962-8e89-4248950d210f",
|
||
|
"indicator--5a002f24-4e7c-4224-9ae2-4219950d210f",
|
||
|
"indicator--5a002f24-b67c-4fc0-930c-4b88950d210f",
|
||
|
"indicator--5a002f24-5310-4e69-9e0c-45a4950d210f",
|
||
|
"indicator--5a01b247-4698-4534-994b-0d3302de0b81",
|
||
|
"indicator--5a01b247-e2bc-4bc2-8db6-0d3302de0b81",
|
||
|
"observed-data--5a01b247-4c64-4243-aed8-0d3302de0b81",
|
||
|
"url--5a01b247-4c64-4243-aed8-0d3302de0b81",
|
||
|
"indicator--5a01b247-56f4-4ce5-a856-0d3302de0b81",
|
||
|
"indicator--5a01b247-5750-42d7-b685-0d3302de0b81",
|
||
|
"observed-data--5a01b247-bd24-4446-83c4-0d3302de0b81",
|
||
|
"url--5a01b247-bd24-4446-83c4-0d3302de0b81",
|
||
|
"indicator--5a01b247-2b64-4301-a912-0d3302de0b81",
|
||
|
"indicator--5a01b247-6eac-4ad9-9ed4-0d3302de0b81",
|
||
|
"observed-data--5a01b247-d9a8-4623-8093-0d3302de0b81",
|
||
|
"url--5a01b247-d9a8-4623-8093-0d3302de0b81",
|
||
|
"indicator--5a01b247-6314-4f76-966e-0d3302de0b81",
|
||
|
"indicator--5a01b247-0fd4-43c8-8b1c-0d3302de0b81",
|
||
|
"observed-data--5a01b247-fa04-4911-8b0e-0d3302de0b81",
|
||
|
"url--5a01b247-fa04-4911-8b0e-0d3302de0b81",
|
||
|
"indicator--5a01b247-ad70-4630-b11f-0d3302de0b81",
|
||
|
"indicator--5a01b247-f12c-45af-aa87-0d3302de0b81",
|
||
|
"observed-data--5a01b247-8ad0-4725-921c-0d3302de0b81",
|
||
|
"url--5a01b247-8ad0-4725-921c-0d3302de0b81",
|
||
|
"indicator--5a01b247-12d4-49cd-abad-0d3302de0b81",
|
||
|
"indicator--5a01b247-e968-4459-b1ab-0d3302de0b81",
|
||
|
"observed-data--5a01b247-2180-4c50-a3a3-0d3302de0b81",
|
||
|
"url--5a01b247-2180-4c50-a3a3-0d3302de0b81",
|
||
|
"indicator--5a01b247-ae84-4c02-bbb3-0d3302de0b81",
|
||
|
"indicator--5a01b247-30d4-471b-ac42-0d3302de0b81",
|
||
|
"observed-data--5a01b247-4d0c-47f9-a482-0d3302de0b81",
|
||
|
"url--5a01b247-4d0c-47f9-a482-0d3302de0b81",
|
||
|
"indicator--5a01b247-875c-474a-acec-0d3302de0b81",
|
||
|
"indicator--5a01b247-355c-49e7-a274-0d3302de0b81",
|
||
|
"observed-data--5a01b247-a468-4fdd-83f6-0d3302de0b81",
|
||
|
"url--5a01b247-a468-4fdd-83f6-0d3302de0b81",
|
||
|
"indicator--5a01b247-8118-44b5-bae8-0d3302de0b81",
|
||
|
"indicator--5a01b247-78fc-48d5-822c-0d3302de0b81",
|
||
|
"observed-data--5a01b247-bb2c-41fe-9282-0d3302de0b81",
|
||
|
"url--5a01b247-bb2c-41fe-9282-0d3302de0b81",
|
||
|
"indicator--5a01b247-73c0-47c4-b479-0d3302de0b81",
|
||
|
"indicator--5a01b247-9c80-40b2-a921-0d3302de0b81",
|
||
|
"observed-data--5a01b247-6cf8-4d12-aae2-0d3302de0b81",
|
||
|
"url--5a01b247-6cf8-4d12-aae2-0d3302de0b81",
|
||
|
"indicator--5a01b247-adac-4729-a3ff-0d3302de0b81",
|
||
|
"indicator--5a01b248-59d0-49ca-a977-0d3302de0b81",
|
||
|
"observed-data--5a01b248-4658-4e34-bfe5-0d3302de0b81",
|
||
|
"url--5a01b248-4658-4e34-bfe5-0d3302de0b81",
|
||
|
"indicator--5a01b248-4870-4f78-8a6d-0d3302de0b81",
|
||
|
"indicator--5a01b248-3460-44db-917b-0d3302de0b81",
|
||
|
"observed-data--5a01b248-8b0c-4301-9503-0d3302de0b81",
|
||
|
"url--5a01b248-8b0c-4301-9503-0d3302de0b81",
|
||
|
"indicator--5a01b248-76b0-48e0-9e28-0d3302de0b81",
|
||
|
"indicator--5a01b248-08d4-44de-97f1-0d3302de0b81",
|
||
|
"observed-data--5a01b248-7488-419b-bd1d-0d3302de0b81",
|
||
|
"url--5a01b248-7488-419b-bd1d-0d3302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"osint:source-type=\"technical-report\"",
|
||
|
"type:OSINT",
|
||
|
"malware_classification:malware-category=\"Ransomware\"",
|
||
|
"misp-galaxy:ransomware=\"Sage 2.2\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59f6f515-043c-4947-8052-568dc25ed030",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:54.000Z",
|
||
|
"modified": "2017-11-07T13:16:54.000Z",
|
||
|
"first_observed": "2017-11-07T13:16:54Z",
|
||
|
"last_observed": "2017-11-07T13:16:54Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59f6f515-043c-4947-8052-568dc25ed030"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--59f6f515-043c-4947-8052-568dc25ed030",
|
||
|
"value": "http://blog.fortinet.com/2017/10/29/evasive-sage-2-2-ransomware-variant-targets-more-countries"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002e66-0924-4cc1-ba34-4d2c950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "download URL",
|
||
|
"pattern": "[url:value = 'http://sutranjsdf.info/1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002e66-2624-4b10-9db5-420a950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "download URL",
|
||
|
"pattern": "[url:value = 'http://xxxkeyoplw.top/2']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002e66-874c-4c64-a1a3-4d2d950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "download URL",
|
||
|
"pattern": "[url:value = 'http://johnmoplan.top/1.txt']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002e66-e384-4470-9a48-49d5950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "download URL",
|
||
|
"pattern": "[url:value = 'http://indiasoujapa.info/7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002e66-935c-4180-8284-4b63950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "download URL",
|
||
|
"pattern": "[url:value = 'http://mondayyesha.info/7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-0bf4-4910-8082-48b5950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = '00f1e3b698488519bb6e5f723854ee89eb9f98bdfa4a7fe5137804f79829838e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-3040-4e33-bc00-4530950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = '0eb72241462c8bfda3ece4e6ebbde88778a33d8c69ce1e22153a3ed8cf47cc17']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-635c-4359-a94d-4c28950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = '2b0b7c732177a0dd8f4e9c153b1975bbc29eef673c8d1b4665312b8f1b3fb114']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-6610-4fa9-8f2a-41bc950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = '43921c3406d7b1a546334e324bdf46c279fdac928de810a86263ce7aa9eb1b83']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-681c-4eb7-9d01-4499950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = '47a67a6fb50097491fd5ebad5e81b19bda303ececc6a83281eddbd6bd508b783']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-a3f8-450d-ac12-4783950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = '5b7d2b261f29ddef9fda21061362729a9417b8ef2874cc9a2a3495181fc466d0']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-f914-4587-a4c7-407d950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = 'a14ee6e8d2baa577a181cd0bb0e5c2c833a4de972f2679ca3a9e410d5de97d7e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-da2c-4cd1-9d67-4bec950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = 'b381d871fcb6c16317a068be01a7cb147960419995e8068db4e9b11ea2087457']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-a744-4583-b461-462d950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = 'bbc0e8981bfca4891d99eab5195cc1f158471b90b21d1a3f1abc0ee05bf60e93']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-9798-4245-a328-4f08950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = 'cb6b6941ec104ab125a7d42cfe560cd9946ca4d5b1d1a8d5beb6b6ceb083bb29']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-8a44-4657-844e-4ff3950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = 'df64fcde1c38aa2a0696fc11eb6ca7489aa861d64bbe4e59e44d83ff92734005']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-0888-4dc2-995f-461a950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = 'eff34c229bc82823a8d31af8fc0b3baac4ebe626d15511dcd0832e455bed1765']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-db50-4692-aa75-41b2950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = 'f5f875061c9aa07a7d55c37f28b34d84e49d5d97bd66de48f74869cb984bcb61']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-8064-4962-8e89-4248950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Kryptik.FXNL!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = 'f93c77fd1c3ee16a28ef390d71f2c0af95f5bfc8ec4fe98b1d1352aeb77323e7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-4e7c-4224-9ae2-4219950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Kryptik.DMBP!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = '903b0e894ec0583ada12e647ac3bcb3433d37dc440e7613e141c03f545fd0ddd']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-b67c-4fc0-930c-4b88950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/GenKryptik.AZLB!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = 'c4e208618d13f11d4a9ed6efb805943debe3bee0581eeebe22254a2b3a259b29']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a002f24-5310-4e69-9e0c-45a4950d210f",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Kryptik.FXNL!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = 'e0a9b6d54ab277e6d4b411d776b130624eac7f7a40affb67c544cc1414e22b19']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-4698-4534-994b-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Kryptik.FXNL!tr - Xchecked via VT: e0a9b6d54ab277e6d4b411d776b130624eac7f7a40affb67c544cc1414e22b19",
|
||
|
"pattern": "[file:hashes.SHA1 = 'b93039baa64a21ed90457a80a636a9e5c56f1a00']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-e2bc-4bc2-8db6-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Kryptik.FXNL!tr - Xchecked via VT: e0a9b6d54ab277e6d4b411d776b130624eac7f7a40affb67c544cc1414e22b19",
|
||
|
"pattern": "[file:hashes.MD5 = '42550d2c763c023869aebe866ede77e9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a01b247-4c64-4243-aed8-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"first_observed": "2017-11-07T13:16:55Z",
|
||
|
"last_observed": "2017-11-07T13:16:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a01b247-4c64-4243-aed8-0d3302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a01b247-4c64-4243-aed8-0d3302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/e0a9b6d54ab277e6d4b411d776b130624eac7f7a40affb67c544cc1414e22b19/analysis/1510019719/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-56f4-4ce5-a856-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Kryptik.DMBP!tr - Xchecked via VT: 903b0e894ec0583ada12e647ac3bcb3433d37dc440e7613e141c03f545fd0ddd",
|
||
|
"pattern": "[file:hashes.SHA1 = 'ee88d90a47dc738ea2e505b3e226e129c70c939a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-5750-42d7-b685-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Kryptik.DMBP!tr - Xchecked via VT: 903b0e894ec0583ada12e647ac3bcb3433d37dc440e7613e141c03f545fd0ddd",
|
||
|
"pattern": "[file:hashes.MD5 = 'b3a5732c4a3bfe4781a2a5d93111b99d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a01b247-bd24-4446-83c4-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"first_observed": "2017-11-07T13:16:55Z",
|
||
|
"last_observed": "2017-11-07T13:16:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a01b247-bd24-4446-83c4-0d3302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a01b247-bd24-4446-83c4-0d3302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/903b0e894ec0583ada12e647ac3bcb3433d37dc440e7613e141c03f545fd0ddd/analysis/1509780134/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-2b64-4301-a912-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Kryptik.FXNL!tr - Xchecked via VT: f93c77fd1c3ee16a28ef390d71f2c0af95f5bfc8ec4fe98b1d1352aeb77323e7",
|
||
|
"pattern": "[file:hashes.SHA1 = 'feeae3fddb606fa45cbcf6b0b2c12fd4cf785113']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-6eac-4ad9-9ed4-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Kryptik.FXNL!tr - Xchecked via VT: f93c77fd1c3ee16a28ef390d71f2c0af95f5bfc8ec4fe98b1d1352aeb77323e7",
|
||
|
"pattern": "[file:hashes.MD5 = 'f7432080c1f41af950a86655a6af6833']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a01b247-d9a8-4623-8093-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"first_observed": "2017-11-07T13:16:55Z",
|
||
|
"last_observed": "2017-11-07T13:16:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a01b247-d9a8-4623-8093-0d3302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a01b247-d9a8-4623-8093-0d3302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/f93c77fd1c3ee16a28ef390d71f2c0af95f5bfc8ec4fe98b1d1352aeb77323e7/analysis/1510020302/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-6314-4f76-966e-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: f5f875061c9aa07a7d55c37f28b34d84e49d5d97bd66de48f74869cb984bcb61",
|
||
|
"pattern": "[file:hashes.SHA1 = '2a5035826371551552287ee2713906dba65ce3d3']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-0fd4-43c8-8b1c-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: f5f875061c9aa07a7d55c37f28b34d84e49d5d97bd66de48f74869cb984bcb61",
|
||
|
"pattern": "[file:hashes.MD5 = '5cb7852dff9d0a6ffae7be5097ec14fd']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a01b247-fa04-4911-8b0e-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"first_observed": "2017-11-07T13:16:55Z",
|
||
|
"last_observed": "2017-11-07T13:16:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a01b247-fa04-4911-8b0e-0d3302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a01b247-fa04-4911-8b0e-0d3302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/f5f875061c9aa07a7d55c37f28b34d84e49d5d97bd66de48f74869cb984bcb61/analysis/1510019822/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-ad70-4630-b11f-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: eff34c229bc82823a8d31af8fc0b3baac4ebe626d15511dcd0832e455bed1765",
|
||
|
"pattern": "[file:hashes.SHA1 = '377dc00f646b7c871c62efa7b84d0fbb54095e93']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-f12c-45af-aa87-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: eff34c229bc82823a8d31af8fc0b3baac4ebe626d15511dcd0832e455bed1765",
|
||
|
"pattern": "[file:hashes.MD5 = 'cf707cb91b8e6a3fd076c3ac0fbe7b89']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a01b247-8ad0-4725-921c-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"first_observed": "2017-11-07T13:16:55Z",
|
||
|
"last_observed": "2017-11-07T13:16:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a01b247-8ad0-4725-921c-0d3302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a01b247-8ad0-4725-921c-0d3302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/eff34c229bc82823a8d31af8fc0b3baac4ebe626d15511dcd0832e455bed1765/analysis/1510020158/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-12d4-49cd-abad-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: df64fcde1c38aa2a0696fc11eb6ca7489aa861d64bbe4e59e44d83ff92734005",
|
||
|
"pattern": "[file:hashes.SHA1 = 'ec046b0d74e2b245f1d2ae4cce5e4a4a47263c31']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-e968-4459-b1ab-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: df64fcde1c38aa2a0696fc11eb6ca7489aa861d64bbe4e59e44d83ff92734005",
|
||
|
"pattern": "[file:hashes.MD5 = '6916c7e84a54c0d6960d716b8e8bffd2']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a01b247-2180-4c50-a3a3-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"first_observed": "2017-11-07T13:16:55Z",
|
||
|
"last_observed": "2017-11-07T13:16:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a01b247-2180-4c50-a3a3-0d3302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a01b247-2180-4c50-a3a3-0d3302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/df64fcde1c38aa2a0696fc11eb6ca7489aa861d64bbe4e59e44d83ff92734005/analysis/1510019848/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-ae84-4c02-bbb3-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: cb6b6941ec104ab125a7d42cfe560cd9946ca4d5b1d1a8d5beb6b6ceb083bb29",
|
||
|
"pattern": "[file:hashes.SHA1 = '640aeed9a8d88f35affd46c23374620edaa58e3e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-30d4-471b-ac42-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: cb6b6941ec104ab125a7d42cfe560cd9946ca4d5b1d1a8d5beb6b6ceb083bb29",
|
||
|
"pattern": "[file:hashes.MD5 = '35c73da756c08dbcfba4cecb1bf93830']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a01b247-4d0c-47f9-a482-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"first_observed": "2017-11-07T13:16:55Z",
|
||
|
"last_observed": "2017-11-07T13:16:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a01b247-4d0c-47f9-a482-0d3302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a01b247-4d0c-47f9-a482-0d3302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/cb6b6941ec104ab125a7d42cfe560cd9946ca4d5b1d1a8d5beb6b6ceb083bb29/analysis/1509779839/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-875c-474a-acec-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: b381d871fcb6c16317a068be01a7cb147960419995e8068db4e9b11ea2087457",
|
||
|
"pattern": "[file:hashes.SHA1 = 'd2200be3ec8510dd529531058e2e24e164809e72']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-355c-49e7-a274-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: b381d871fcb6c16317a068be01a7cb147960419995e8068db4e9b11ea2087457",
|
||
|
"pattern": "[file:hashes.MD5 = '4d8a0e28d39d34a97bc8f0470a26073f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a01b247-a468-4fdd-83f6-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"first_observed": "2017-11-07T13:16:55Z",
|
||
|
"last_observed": "2017-11-07T13:16:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a01b247-a468-4fdd-83f6-0d3302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a01b247-a468-4fdd-83f6-0d3302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/b381d871fcb6c16317a068be01a7cb147960419995e8068db4e9b11ea2087457/analysis/1510019749/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-8118-44b5-bae8-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: a14ee6e8d2baa577a181cd0bb0e5c2c833a4de972f2679ca3a9e410d5de97d7e",
|
||
|
"pattern": "[file:hashes.SHA1 = 'c8a6ce85af6442b8d7202abd1023a90e24f782f9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-78fc-48d5-822c-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: a14ee6e8d2baa577a181cd0bb0e5c2c833a4de972f2679ca3a9e410d5de97d7e",
|
||
|
"pattern": "[file:hashes.MD5 = '9b224075f4a4366beb66cabbc18b7137']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a01b247-bb2c-41fe-9282-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"first_observed": "2017-11-07T13:16:55Z",
|
||
|
"last_observed": "2017-11-07T13:16:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a01b247-bb2c-41fe-9282-0d3302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a01b247-bb2c-41fe-9282-0d3302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/a14ee6e8d2baa577a181cd0bb0e5c2c833a4de972f2679ca3a9e410d5de97d7e/analysis/1510020027/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-73c0-47c4-b479-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: 5b7d2b261f29ddef9fda21061362729a9417b8ef2874cc9a2a3495181fc466d0",
|
||
|
"pattern": "[file:hashes.SHA1 = '87a1603e8f9a1f5193932fd3f74a4a740b2e68e3']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-9c80-40b2-a921-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: 5b7d2b261f29ddef9fda21061362729a9417b8ef2874cc9a2a3495181fc466d0",
|
||
|
"pattern": "[file:hashes.MD5 = 'aedd0bf1d7b94b163827aec2f4c64d15']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a01b247-6cf8-4d12-aae2-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"first_observed": "2017-11-07T13:16:55Z",
|
||
|
"last_observed": "2017-11-07T13:16:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a01b247-6cf8-4d12-aae2-0d3302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a01b247-6cf8-4d12-aae2-0d3302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/5b7d2b261f29ddef9fda21061362729a9417b8ef2874cc9a2a3495181fc466d0/analysis/1509779516/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b247-adac-4729-a3ff-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: 43921c3406d7b1a546334e324bdf46c279fdac928de810a86263ce7aa9eb1b83",
|
||
|
"pattern": "[file:hashes.SHA1 = 'b8dd2eb66f33c895883ec2d20e411d3287ba8e33']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b248-59d0-49ca-a977-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:55.000Z",
|
||
|
"modified": "2017-11-07T13:16:55.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: 43921c3406d7b1a546334e324bdf46c279fdac928de810a86263ce7aa9eb1b83",
|
||
|
"pattern": "[file:hashes.MD5 = '568f85f776c9cd061f56b7f4393b2eb5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a01b248-4658-4e34-bfe5-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:56.000Z",
|
||
|
"modified": "2017-11-07T13:16:56.000Z",
|
||
|
"first_observed": "2017-11-07T13:16:56Z",
|
||
|
"last_observed": "2017-11-07T13:16:56Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a01b248-4658-4e34-bfe5-0d3302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a01b248-4658-4e34-bfe5-0d3302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/43921c3406d7b1a546334e324bdf46c279fdac928de810a86263ce7aa9eb1b83/analysis/1509779455/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b248-4870-4f78-8a6d-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:56.000Z",
|
||
|
"modified": "2017-11-07T13:16:56.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: 2b0b7c732177a0dd8f4e9c153b1975bbc29eef673c8d1b4665312b8f1b3fb114",
|
||
|
"pattern": "[file:hashes.SHA1 = '12c96f09d25cd6349d6e2395699dcae9be80401a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b248-3460-44db-917b-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:56.000Z",
|
||
|
"modified": "2017-11-07T13:16:56.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: 2b0b7c732177a0dd8f4e9c153b1975bbc29eef673c8d1b4665312b8f1b3fb114",
|
||
|
"pattern": "[file:hashes.MD5 = '94f37e6331d1d9172034fbdc27b447a6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a01b248-8b0c-4301-9503-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:56.000Z",
|
||
|
"modified": "2017-11-07T13:16:56.000Z",
|
||
|
"first_observed": "2017-11-07T13:16:56Z",
|
||
|
"last_observed": "2017-11-07T13:16:56Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a01b248-8b0c-4301-9503-0d3302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a01b248-8b0c-4301-9503-0d3302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/2b0b7c732177a0dd8f4e9c153b1975bbc29eef673c8d1b4665312b8f1b3fb114/analysis/1510019973/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b248-76b0-48e0-9e28-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:56.000Z",
|
||
|
"modified": "2017-11-07T13:16:56.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: 0eb72241462c8bfda3ece4e6ebbde88778a33d8c69ce1e22153a3ed8cf47cc17",
|
||
|
"pattern": "[file:hashes.SHA1 = 'd103a0032b7847a405f65d98af0a6c56c1622f67']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a01b248-08d4-44de-97f1-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:56.000Z",
|
||
|
"modified": "2017-11-07T13:16:56.000Z",
|
||
|
"description": "W32/Sage.KAD!tr - Xchecked via VT: 0eb72241462c8bfda3ece4e6ebbde88778a33d8c69ce1e22153a3ed8cf47cc17",
|
||
|
"pattern": "[file:hashes.MD5 = 'ce9b4fe0e4053369f1a172a9838ad8b8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-07T13:16:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a01b248-7488-419b-bd1d-0d3302de0b81",
|
||
|
"created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030",
|
||
|
"created": "2017-11-07T13:16:56.000Z",
|
||
|
"modified": "2017-11-07T13:16:56.000Z",
|
||
|
"first_observed": "2017-11-07T13:16:56Z",
|
||
|
"last_observed": "2017-11-07T13:16:56Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a01b248-7488-419b-bd1d-0d3302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a01b248-7488-419b-bd1d-0d3302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/0eb72241462c8bfda3ece4e6ebbde88778a33d8c69ce1e22153a3ed8cf47cc17/analysis/1510020155/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|